A newly disclosed local privilege escalation vulnerability affecting major Linux distributions may already be exploited in the wild.
The exploit, named Dirty Frag and Copy Fail 2, chains two flaws tracked as CVE-2026-43284 and CVE-2026-43500, allowing an unprivileged user to escalate permissions to root.
Researcher Hyunwoo Kim responsibly disclosed the vulnerability, but someone made it public before patches could be released, prompting Kim to make the technical details and PoC code available.
“Because it is a deterministic logic bug that does not depend on a timing window, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high,” Kim explained.
The vulnerabilities affect the xfrm-ESP (IPsec) and RxRPC components of the Linux kernel, with the greatest impact on hosts that do not run container workloads. In container deployments, an attacker may be able to exploit Dirty Frag to escape a container, but this has yet to be demonstrated, Ubuntu developers noted.
Dirty Frag is similar to Dirty Pipe, a vulnerability that emerged in 2022, and the recently discovered flaw named Copy Fail.
Copy Fail has been exploited in the wild, and Microsoft reports that Dirty Frag may also have been exploited.
According to the tech giant, Dirty Frag can be exploited after attackers gain access to the targeted system, which can be achieved through various means, including compromised SSH accounts, web shell access via internet-exposed applications, abusing service accounts, container escapes to the host environment, or remote access compromise.
Microsoft said its Defender product has seen limited in-the-wild activity that could indicate exploitation of either Dirty Frag or Copy Fail.
“After gaining elevated access, the actor modifies a GLPI LDAP authentication file (evidenced by a .swp file from vim), performs reconnaissance of the GLPI directory and system configuration, and inspects an exploit artifact,” Microsoft explained.
“The activity then shifts to accessing sensitive data and interacting with PHP session files — first deleting multiple session files and then forcefully wiping additional ones — before reading remaining session data, indicating both disruption of active sessions and access to session contents,” it added.
Linux distributions have started releasing patches and mitigations for Dirty Frag, including Red Hat, Amazon Linux, Ubuntu, Fedora, and Alma Linux.
Related: OpenSSH Flaw Allowing Full Root Shell Access Lurked for 15 Years
Related: Easily Exploitable ‘Pack2TheRoot’ Linux Vulnerability Leads to Root Access
Related: Organizations Warned of Exploited Linux Vulnerabilities
